Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Spy Sheriff owns me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Spy Sheriff owns me

Unread postby TheHux » July 21st, 2005, 11:23 pm

Spy Sheriff is driving me insane. Im house sitting for friends and sure enough I managed to get Spy Sheriff on their computer. Now, I gotta get it out before they get back next week! Im desperate!

Thank you to one and all who help.

Below are the Ewido and HiJackThis logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:43:44 PM, 21/07/2005
+ Report-Checksum: CDC4C992

+ Scan result:

C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\symcsvc.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\ztoolb004.dll -> Spyware.Zbar : Cleaned with backup
C:\WINDOWS\system32\msexnpfi.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Merran\Application Data\Mozilla\Firefox\Profiles\cl7ards7.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Backup\Merran\Cookies\merran@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Backup\Merran\Cookies\merran@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Backup\Merran\Cookies\merran@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Backup\Merran\Cookies\merran@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Backup\Merran\Cookies\merran@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Backup\Merran\Cookies\merran@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Backup\Merran\Cookies\merran@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Backup\Merran\Cookies\merran@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Backup\Merran\Cookies\merran@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Backup\Merran\Cookies\merran@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Backup\Merran\Cookies\merran@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Backup\Merran\Cookies\merran@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Backup\Merran\Cookies\merran@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Backup\Merran\Cookies\merran@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Backup\Merran\Cookies\merran@ehg-hasbro.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Backup\Merran\Cookies\merran@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End


=============================================

Logfile of HijackThis v1.99.1
Scan saved at 5:05:37 PM, on 21/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Documents and Settings\Merran\Desktop\Nick\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Merran\Desktop\Nick\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\~update.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\Documents and Settings\Merran\Desktop\Nick\HiJackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.sympatico.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\~update.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1457537640
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03F3CBF6-9969-4FDC-9CD5-CE02BF277D5C}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F1E3C2-3284-42D7-AB8E-BE4A84FA3F5A}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{03F3CBF6-9969-4FDC-9CD5-CE02BF277D5C}: NameServer = 69.50.188.180,85.255.112.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Merran\Desktop\Nick\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Merran\Desktop\Nick\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
TheHux
Active Member
 
Posts: 1
Joined: July 21st, 2005, 11:18 pm
Advertisement
Register to Remove

Re: Spy Sheriff owns me

Unread postby Perculator » July 22nd, 2005, 1:40 am

I will take a look at your log, and reply to it after i get back from work
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Re: Spy Sheriff owns me

Unread postby Perculator » July 22nd, 2005, 12:25 pm

Hello


Please uninstall IPInSightLAN 01, cause IP Insight is a Quality of Service monitor and diagnostic tool that isn't required his one constantly "phones home" and wastes resource

You can do that by going to:
Start
Control panel
Add/Remove Programs

Then Select Visual Networks/Visual IP InSight by clicking on it and then press the change/remove button.

***
Go to Start->Run and type Services.msc
then hit Ok
Scroll down and find the service called:

svchost.exe



When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows


  • Open HiJackThis
  • Click on Open the Misc Tools Session
  • click on "delete an NT service"
  • Copy and paste this in: moto
  • Click "ok
Now close the windows you have opened.


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.sympatico.ca/

O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l

O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"

O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\system32\~update.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{03F3CBF6-9969-4FDC-9CD5-CE02BF277D5C}: NameServer = 69.50.188.180,85.255.112.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{E2F1E3C2-3284-42D7-AB8E-BE4A84FA3F5A}: NameServer = 69.50.188.180,85.255.112.5

O17 - HKLM\System\CS1\Services\Tcpip\..\{03F3CBF6-9969-4FDC-9CD5-CE02BF277D5C}: NameServer = 69.50.188.180,85.255.112.5

O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Now click Fix checked
And close hijack this
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

***
We need to make sure all hidden files are showing so please:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Now delete the following files or folders
files
C:\WINDOWS\system32\~update.exe
C:\WINDOWS\svchost.exe
folders
C:\Program Files\Visual Networks



Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections, cause ewido will also fla parts of avg in some cases."
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
User avatar
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Unread postby Nick-YF19 » August 14th, 2005, 4:06 am

While we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 298 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware